Configuring NAT Security
NAT security is implemented by limiting, for each user, the number of NAT sessions that can be established (in both the user-to-network and the network-to-user direction) and the rate at which first packets are sent to the CPU to create flows.
Usage Scenario
Deploy the NAT security function to keep a NAT device operating normally under load or attack: it prevents a single user from exhausting the session table and prevents first-packet attacks from consuming the CPU of a service board.
Pre-configuration Tasks
Before configuring the NAT security function, complete the following tasks:
- Configure basic NAT functions.
- Configure NAT for traffic.
- Configuring a Limit on the Maximum Number of User-to-Network NAT Sessions
- Configuring a Limit on the Maximum Number of Network-to-User NAT Sessions
- Setting the Rate at Which Packets Are Sent to Create a Flow for a User
- Configuring the Rate Limit at Which the First Packet Is Sent to Create a Flow
- Verifying the NAT Security Configuration
Configuring a Limit on the Maximum Number of User-to-Network NAT Sessions
A single user that opens an excessive number of sessions can exhaust the session table and prevent other users from establishing connections. To prevent this, set a limit on the maximum number of user-to-network NAT sessions that can be established for each user.
Context
If the number of established Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) NAT sessions with the same source IP address, or the total number of NAT sessions with that source IP address, exceeds the configured threshold, the device stops establishing further sessions of that kind for the address. The per-protocol limits and the total limit apply independently, so whichever is reached first takes effect. The limit keeps one user's resource consumption from causing connection failures for other users.
Procedure
- Run system-view
The system view is displayed.
- Run nat instance instance-name [ id id ]
The NAT instance view is displayed.
- (Optional) Run nat session-limit enable
The user-based NAT session number limit function is enabled.
This function is enabled by default.
- Run nat session-limit { tcp | udp | icmp | total } session-number
The maximum number of user-to-network NAT sessions of the specified protocol (tcp, udp, or icmp), or of all protocols (total), that a single user can establish is set.
- Run commit
The configuration is committed.
Configuring a Limit on the Maximum Number of Network-to-User NAT Sessions
Sessions initiated from the network side toward a user also occupy the session table. To prevent traffic destined for a single user from exhausting it and causing connection failures for other users, set a limit on the maximum number of network-to-user NAT sessions that can be established for each user.
Context
If the number of established Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) NAT sessions with the same destination IP address, or the total number of NAT sessions with that destination IP address, exceeds the configured threshold, the device stops establishing further sessions of that kind for the address. The per-protocol limits and the total limit apply independently. The limit keeps traffic toward one user from causing connection failures for other users.
Procedure
- Run system-view
The system view is displayed.
- Run nat instance instance-name [ id id ]
The NAT instance view is displayed.
- (Optional) Run nat reverse-session-limit enable
The device is enabled to monitor the number of established user-specific network-to-user NAT sessions.
This function is enabled by default.
- Run nat reverse-session-limit { tcp | udp | icmp | total } session-number
The maximum number of network-to-user NAT sessions of the specified protocol (tcp, udp, or icmp), or of all protocols (total), that can be established toward a single user is set.
- Run commit
The configuration is committed.
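The two session-limit procedures above describe the same enforcement applied in two directions: user-to-network limits are keyed on the source IP address, network-to-user limits on the destination IP address, and in each direction a per-protocol limit and a total limit both apply. The following Python model is an added illustration of that behaviour, not device code or Huawei's implementation; the refuse-when-the-limit-is-reached semantics, the counting of refused attempts, the release of a slot when a session ends, and the sample addresses and limit values are assumptions made for the illustration.

```python
from collections import defaultdict

PROTOCOLS = ("tcp", "udp", "icmp")


class SessionLimiter:
    """Per-user NAT session counter with per-protocol and total limits.

    `limits` maps "tcp"/"udp"/"icmp"/"total" to a maximum; a key that is absent
    is unlimited. `enabled=False` models the limit function being switched off:
    sessions are still counted but never refused. (Assumed semantics.)
    """

    def __init__(self, limits, enabled=True):
        self.limits = dict(limits)
        self.enabled = enabled
        # key (source IP for user-to-network, destination IP for network-to-user)
        # -> protocol -> number of established sessions
        self.counts = defaultdict(lambda: defaultdict(int))
        self.discarded = defaultdict(int)  # key -> refused session attempts

    def try_create(self, key, proto):
        """Count a new session and return True, or return False if a limit is reached."""
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        per_key = self.counts[key]
        if self.enabled:
            proto_limit = self.limits.get(proto)
            total_limit = self.limits.get("total")
            # Either limit is sufficient to refuse the session.
            if proto_limit is not None and per_key[proto] >= proto_limit:
                self.discarded[key] += 1
                return False
            if total_limit is not None and sum(per_key.values()) >= total_limit:
                self.discarded[key] += 1
                return False
        per_key[proto] += 1
        return True

    def release(self, key, proto):
        """A session aged out or was closed: free its slot for new sessions."""
        if self.counts[key][proto] > 0:
            self.counts[key][proto] -= 1


def user_to_network_demo():
    """Forward direction: the key is the private source IP address (constructed)."""
    lim = SessionLimiter({"tcp": 3, "udp": 2, "total": 4})
    user, other = "10.1.1.10", "10.1.1.11"
    tcp = [lim.try_create(user, "tcp") for _ in range(4)]  # 3 accepted, 4th refused
    udp_ok = lim.try_create(user, "udp")        # accepted, total is now 4
    icmp_ok = lim.try_create(user, "icmp")      # refused: total limit reached
    other_ok = lim.try_create(other, "tcp")     # a different user is unaffected
    lim.release(user, "tcp")                    # one TCP session ends
    after_release = lim.try_create(user, "icmp")  # slot freed, accepted
    return {
        "tcp": tcp,
        "udp_ok": udp_ok,
        "icmp_blocked_by_total": icmp_ok,
        "other_user_ok": other_ok,
        "after_release": after_release,
        "discarded": lim.discarded[user],
    }


def network_to_user_demo():
    """Reverse direction: the key is the destination IP address (constructed)."""
    lim = SessionLimiter({"tcp": 2})
    dst = "10.1.1.10"
    tcp = [lim.try_create(dst, "tcp") for _ in range(3)]  # 2 accepted, 3rd refused
    return {"tcp": tcp, "discarded": lim.discarded[dst]}


if __name__ == "__main__":
    print(user_to_network_demo())
    print(network_to_user_demo())
```

The `discarded` counter is the kind of figure the `display nat user-information ... session-discard` command in the verification section is meant to surface: a user whose refused-session count keeps growing is either under attack, infected, or simply given a limit that is too low for its legitimate traffic.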
Setting the Rate at Which Packets Are Sent to Create a Flow for a User
A device can be configured to dynamically detect the traffic forwarding rate and to limit the rate at which packets are sent to the CPU to create flows for each user.
Context
On a NAT device with a multi-core structure, flow creation and packet forwarding share CPU resources. If too many packets are sent to create flows, forwarding is starved, which causes NAT packet loss and higher CPU usage. To minimize or prevent this, the device has to keep the flow creation rate in a proper ratio to the forwarding rate.
Procedure
- Run system-view
The system view is displayed.
- Run nat instance instance-name [ id id ]
The NAT instance view is displayed.
- (Optional) Run nat user-session create-rate limit enable
The limit on the rate at which packets are sent to create a user flow is enabled.
- Perform either of the following operations:
- If a low-precision rate limit is sufficient, run nat user-session create-rate rate
- If a high-precision rate limit is required, run nat user-session create-rate extended-range rate
If both the nat user-session create-rate extended-range and nat user-session create-rate commands are run, the command run last takes effect and overrides the other.
- Run commit
The configuration is committed.
Configuring the Rate Limit at Which the First Packet Is Sent to Create a Flow
Limiting the rate at which first packets are sent to the CPU of a service board to create flows prevents a first-packet attack (a flood of packets that match no existing session and therefore each require a flow to be created) from consuming a large share of CPU resources, so that normal traffic continues to be forwarded.
Context
The NAT blacklist function defends a device against attacks launched from the network side by sending first packets, either to a specific combination of public IP address, port number, and protocol ID, or to all IP addresses. If no internal service is configured, or if public-network traffic matches no entry in the session table on the NAT device, the device treats such traffic arriving at a rate that reaches the configured threshold as attack traffic. It adds the IP address and the UDP or TCP destination port number of the attack traffic to a NAT blacklist. Network-side traffic that subsequently matches the blacklist is dropped, or statistics about it are collected.
- Address-level detection: An address-level rate threshold is set so that the NAT device detects attacks keyed on the IP address only.
- Port-level detection: A port-level rate threshold is set so that the NAT device detects attacks keyed on the combination of a specified IP address, port number, and protocol ID.
In VS mode, this configuration process is supported only by the admin VS.
Procedure
- Run system-view
The system view is displayed.
- Run nat flow-defend reverse-blacklist disable
The blacklist for new flows from the public network to the private network (the reverse blacklist) is disabled. Run this command only if you do not want the blacklist: the detection thresholds set in the following steps generate entries in this blacklist and therefore have no effect while it is disabled.
- Run nat flow-defend { forward | fragment | reverse } rate rate-number slot slot-id
The rate at which first packets of the specified kind (forward, fragment, or reverse) are sent to the CPU of the service board in the specified slot to create flows is set.
- Run nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold
The port-level rate threshold for generating entries in a reverse NAT blacklist is set.
- Run nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold
The address-level rate threshold for generating entries in a reverse NAT blacklist is set.
- Run commit
The configuration is committed.
Verifying the NAT Security Configuration
After configuring the NAT security functions, run the following display commands to check that the configuration has taken effect.
Procedure
- Run the display nat flow-defend { forward | reverse | fragment } rate [ slot slot-id ] command to check the configured rate at which first packets are sent to the CPU of a service board to create flows.
- Run the display nat user-information { cpe ipv4 ipv4-address | session-discard } [ slot slot-id ] [ verbose ] command to check NAT user information, including the sessions that were discarded because a user reached its session limit.
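The display commands show the device's own view after commit. It is also worth auditing the configuration text itself, for example the NAT-related part of the running configuration, against the pitfalls this page describes before it is committed. The following Python script is added here for that purpose; it is not a Huawei tool. The sample configuration it parses is constructed and uses only the commands from this page; the one-space indentation under a nat instance line and the "#" section separators are an assumption about the configuration layout. The audit flags an instance without a total limit in either direction, a per-protocol limit higher than the total (which can never be reached), an instance without a user-session create-rate limit, detect-threshold values configured while the reverse blacklist is disabled, and a configuration with no flow-defend rate at all.

```python
import re

# Constructed sample configuration (not captured from a device). It uses only
# the commands from this page; the indentation and "#" separators are assumed.
SAMPLE_CONFIG = """\
#
nat instance nat1 id 1
 nat session-limit tcp 2000
 nat session-limit total 3000
 nat reverse-session-limit total 1000
 nat user-session create-rate 200
#
nat instance nat2 id 2
 nat session-limit tcp 5000
 nat session-limit total 4000
 nat reverse-session-limit tcp 500
#
nat flow-defend reverse-blacklist disable
nat flow-defend reverse rate 100 slot 1
nat flow-defend forward rate 300 slot 1
nat flow-defend reverse-blacklist detect-threshold ip-level 4000
nat flow-defend reverse-blacklist detect-threshold ip-port-level 2000
#
"""

INSTANCE_RE = re.compile(r"^nat instance (\S+)(?: id (\d+))?$")
LIMIT_RE = re.compile(
    r"^nat (session-limit|reverse-session-limit) (tcp|udp|icmp|total) (\d+)$")
CREATE_RATE_RE = re.compile(r"^nat user-session create-rate (?:extended-range )?(\d+)$")
DEFEND_RATE_RE = re.compile(r"^nat flow-defend (forward|fragment|reverse) rate (\d+) slot (\S+)$")
THRESHOLD_RE = re.compile(
    r"^nat flow-defend reverse-blacklist detect-threshold (ip-level|ip-port-level) (\d+)$")
BLACKLIST_DISABLE = "nat flow-defend reverse-blacklist disable"


def parse_nat_config(text):
    """Return the NAT-security settings found in a configuration excerpt."""
    cfg = {"instances": {},
           "flow_defend": {"rates": {}, "thresholds": {}, "blacklist_disabled": False}}
    current = None  # settings of the nat instance whose view we are in, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":      # "#" closes the current section
            current = None
            continue
        m = INSTANCE_RE.match(line)
        if m:
            current = {"session-limit": {}, "reverse-session-limit": {}, "create_rate": None}
            cfg["instances"][m.group(1)] = current
            continue
        if current is not None:          # commands in the NAT instance view
            m = LIMIT_RE.match(line)
            if m:
                current[m.group(1)][m.group(2)] = int(m.group(3))
            m = CREATE_RATE_RE.match(line)
            if m:
                current["create_rate"] = int(m.group(1))
            continue                     # e.g. "nat session-limit enable": nothing to record
        fd = cfg["flow_defend"]          # commands in the system view
        if line == BLACKLIST_DISABLE:
            fd["blacklist_disabled"] = True
            continue
        m = DEFEND_RATE_RE.match(line)
        if m:
            fd["rates"][(m.group(1), m.group(3))] = int(m.group(2))
            continue
        m = THRESHOLD_RE.match(line)
        if m:
            fd["thresholds"][m.group(1)] = int(m.group(2))
    return cfg


def audit(cfg):
    """List settings that leave the session table or the service-board CPU unprotected."""
    findings = []
    for name, inst in cfg["instances"].items():
        for direction in ("session-limit", "reverse-session-limit"):
            limits = inst[direction]
            total = limits.get("total")
            if total is None:
                findings.append(f"{name}: no 'nat {direction} total' configured, "
                                f"one user can exhaust the session table in this direction")
                continue
            for proto, value in limits.items():
                if proto != "total" and value > total:
                    findings.append(f"{name}: 'nat {direction} {proto} {value}' exceeds "
                                    f"the total limit {total} and can never be reached")
        if inst["create_rate"] is None:
            findings.append(f"{name}: no 'nat user-session create-rate' configured, "
                            f"per-user flow creation is not explicitly rate limited")
    fd = cfg["flow_defend"]
    if fd["blacklist_disabled"] and fd["thresholds"]:
        findings.append("reverse blacklist is disabled but detect-threshold values are set; "
                        "they generate entries in that blacklist and have no effect while it is disabled")
    if not fd["rates"]:
        findings.append("no 'nat flow-defend ... rate' configured, the first-packet rate "
                        "to the service-board CPU is not explicitly limited")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nat_config(SAMPLE_CONFIG)):
        print("WARN:", finding)
```

On the sample, nat1 passes cleanly, nat2 produces three findings (an unreachable TCP limit, no reverse total limit, no create-rate limit), and the global section produces one because the thresholds are configured together with the disable command. The script only reads the commands shown on this page; it does not know a platform's default values, which is why the create-rate and flow-defend findings say "not explicitly" rather than claiming the device is unprotected.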